#1 2010-06-11 08:37:23

Vegita
Member
Registered: 2009-10-06
Posts: 111

Adobe Flash security hole

As we all know, there's a huge security hole in flash. It's not a question what to upgrade urgently on 32-bit systems, but the crap company Adobe didn't provide us a 64bit version of this new flash beta. The question is: In 64bit systems wouldn't it be better to package the nspluginwrappered nonsecholed version of flash? Or would it be too difficult, and would it even need a wiki entry? And from about when will secure packages of flash be available from arch repositories?

Offline

#2 2010-06-11 08:40:28

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,390
Website

Re: Adobe Flash security hole

Vegita wrote:

And from about when will secure packages of flash be available from arch repositories?

When the maintainer gets to it...   File a bug report with "critical" severity to remind them this one is important.

Offline

#3 2010-06-11 08:44:28

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,356

Re: Adobe Flash security hole

Isn't it simpler just to not use flash?


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#4 2010-06-11 08:47:39

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: Adobe Flash security hole

It's not that critical afaik as you are only affected when Acrobat Reader is installed, which is not in our repos. (EDIT: Looks like this was true for only the recent hole; but they fixed 31 other holes)

We cannot include the nspluginwrapper as it would need a multi-lib system. Looks like they simply dropped 64bit support; the download page has been removed. Imho we should just move this crap to aur as it is no longer maintained upstream.

PS: See http://labs.adobe.com/technologies/flas … 64bit.html So on x86_64 pacman -R flashplugin is recommended as there won't be an update.

Offline

#5 2010-06-11 10:01:18

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Re: Adobe Flash security hole

Not sure there won't be an update but it looks like it will be behind, if at all...

from faq at bottom - product details http://labs.adobe.com/technologies/flashplayer10/

When will 64-bit versions of Flash Player 10.1 be available?
The 64-bit versions of Flash Player will not be in the initial release of Flash Player 10.1. We remain committed to bringing native 64-bit Flash Player to Windows, Mac, and Linux in the future. There are plans to replace the now closed Flash Player 10 for 64-bit Linux prerelease with a new release built on Flash Player 10.1.

Last edited by FeatherMonkey (2010-06-11 10:01:38)

Offline

#6 2010-06-11 11:21:40

Vegita
Member
Registered: 2009-10-06
Posts: 111

Re: Adobe Flash security hole

Pierre wrote:

PS: See http://labs.adobe.com/technologies/flas … 64bit.html So on x86_64 pacman -R flashplugin is recommended as there won't be an update.

I won't pacman -R flashplugin until it turns out, for x86_64, which version will be added to the repo by the maintainer, and how. That was what my question was about. I don't want to play with aur/yaourt as I can't follow those versions, and I don't even want to.

Offline

#7 2010-06-11 11:26:44

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,390
Website

Re: Adobe Flash security hole

I doubt any version will stay in the repos.  If Adobe is not releasing a new version and the current one has security issues, we have no choice but to remove it.

Offline

#8 2010-06-11 16:19:15

Vegita
Member
Registered: 2009-10-06
Posts: 111

Re: Adobe Flash security hole

They released a usable beta, which is not secholed, but it's only for 32bits. My question is about how easy nspluginwrapper can be in 64bit for 32bit flash, as they dropped the 64 bit flash support for the new nonsecholed version? And in Ubuntu and Suse and Fedora, it's a pain to "nspluginwrapperize" the 32bit flash under a 64bit distro. But a good wiki entry could solve it easily.

Offline

#9 2010-06-12 09:25:21

agd
Member
From: Alcalá de Guadaira. Sevilla.
Registered: 2010-03-27
Posts: 5
Website

Re: Adobe Flash security hole

Pierre wrote:

It's not that critical afaik as you are only affected when Acrobat Reader is installed...

Where did you read this? The Adobe Security bulletin says that Flash Player, Adobe Reader and Acrobat have a critical vulnerability. But it doesn't say that the problem only affects you when you have flash and areader/acrobat.

http://www.adobe.com/support/security/a … 10-01.html

Offline

#10 2010-06-12 10:38:13

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: Adobe Flash security hole

I got this from http://www.heise.de/security/meldung/Ex … 19201.html (But as I noticed later there were 31 other problems fixed)

Offline

#11 2010-06-12 12:50:15

agd
Member
From: Alcalá de Guadaira. Sevilla.
Registered: 2010-03-27
Posts: 5
Website

Re: Adobe Flash security hole

Pierre wrote:

I got this from http://www.heise.de/security/meldung/Ex … 19201.html (But as I noticed later there were 31 other problems fixed)

Oh, very interesting. Do you know a url to test the bug?

I don't use acrobat. If the crash tests are ok, I don't need to find a solution for flash.

Offline

#12 2010-06-12 12:54:57

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: Adobe Flash security hole

It doesn't matter as this is only one of the 32 bugs that allow code injection.

Offline

#13 2010-06-12 13:14:27

eerok
Member
From: Canada
Registered: 2005-03-20
Posts: 171

Re: Adobe Flash security hole

I guess gnash isn't a viable interim solution?  I haven't used it lately, so I don't know.

Looks like Ubuntu offered a 64-bit Flash 10.1 plugin upgrade today... seems they wrapped the 32-bit version.  I like the idea of a wiki article on how to use the 32-bit version on a 64-bit Arch system, since the alternatives aren't very attractive.  Sure, flash sucks, but life goes on.


noobus in perpetuus

Offline

#14 2010-06-12 16:16:49

zodmaner
Member
Registered: 2007-07-11
Posts: 653

Re: Adobe Flash security hole

There is a wiki article on how to install 32bit flash on a 64bit system, although it doesn't seem to be up-to-date.

Maybe we can update it to contain more up-to-date information?

EDIT: Found these two packages: nspluginwrapper-debian, nspluginwrapper-flash-prerelease, which combined with the aforementioned wiki article, should contain all necessary information on how to install 32bit flash using nspluginwrapper.

Last edited by zodmaner (2010-06-12 16:23:38)

Offline

#15 2010-06-12 16:24:51

Skripka
Member
From: 2X1280X1024
Registered: 2009-02-19
Posts: 555

Re: Adobe Flash security hole

zodmaner wrote:

There is a wiki article on how to install 32bit flash on a 64bit system, although it doesn't seem to be up-to-date.

Maybe we can update it to contain more up-to-date information?

EDIT: Found these two packages: nspluginwrapper-debian, nspluginwrapper-flash-prerelease, which combined with the aforementioned wiki article, should contain all necessary information on how to install 32bit flash using nspluginwrapper.

From what I've been reading-32bit flash on x86_64 is broken if you're using a Webkit browser.

Offline

#16 2010-06-12 16:52:27

stryder
Member
Registered: 2009-02-28
Posts: 500

Re: Adobe Flash security hole

Serious question: While it is said that the linux version of flash is also vulnerable, what harm can it do? Does it have to be a specific linux flash exploit? Is the browser taken over or something worse? Someone mentioned code injection - what can that do to a user like me? Just trying to understand how these security issues affect me using arch.

Offline

#17 2010-06-13 18:38:18

agd
Member
From: Alcalá de Guadaira. Sevilla.
Registered: 2010-03-27
Posts: 5
Website

Re: Adobe Flash security hole

The vulnerability can be exploited from the web. Adobe Flash, by itself, is vulnerable.

The solution is to update to Flash 10.1 (not possible on x86_64), uninstall Flash or restrict which sites are allowed to run Flash (Flashblock).

You can read about it on http://www.us-cert.gov/cas/techalerts/TA10-159A.html

Last edited by agd (2010-06-13 18:38:32)

Offline

#18 2010-06-13 19:29:15

Wintervenom
Member
Registered: 2008-08-20
Posts: 1,011

Re: Adobe Flash security hole

[This looks bad].

Last edited by Wintervenom (2010-06-16 00:29:10)

Offline

#19 2010-06-13 23:01:40

zodmaner
Member
Registered: 2007-07-11
Posts: 653

Re: Adobe Flash security hole

Well, I've just removed flashplugin and installed both nspluginwrapper-debian and nspluginwrapper-flash-prerelease. Aside from a few issues, like Flash sometimes refusing to acknowledge a click and nspluginwrapper crashing on me a few times, everything has been working fine so far. It even works with Webkit based browsers (Chromium, surf) too.

So I guess for now using nspluginwrapper is the best solution for x86_64 users who wish to continue using Flash. It's not ideal, but it's better than nothing.

Last edited by zodmaner (2010-06-13 23:07:10)

Offline

#20 2010-06-14 06:05:42

Vegita
Member
Registered: 2009-10-06
Posts: 111

Re: Adobe Flash security hole

zodmaner wrote:

So I guess for now using nspluginwrapper is the best solution for x86_64 users who wish to continue using Flash. It's not ideal, but it's better than nothing.

So is it working out-of-the-box if I yaourt -S nspluginwrapper-flashanything? Or you played it manually?

Offline

#21 2010-06-14 07:19:09

zodmaner
Member
Registered: 2007-07-11
Posts: 653

Re: Adobe Flash security hole

Vegita wrote:

So is it working out-of-the-box if I yaourt -S nspluginwrapper-flashanything? Or you played it manually?

It works just like the old flashplugin would (i.e., embedded inside a browser). Make sure you follow the post install instructions properly (run "nspluginwrapper -v -a -i" as user after you have installed both packages) and you should be fine.

Note that I edited the nspluginwrapper-flash-prerelease package to use the same sources as the ones used by the current i686 flashplugin package in the extra repository.

Last edited by zodmaner (2010-06-14 07:21:51)

Offline

#22 2010-06-14 08:43:57

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,302

Re: Adobe Flash security hole

It's not clear to me why nspluginwrapper would be needed, because there is in AUR the package lib32-flashplugin-prerelease 10.1.53.64-8, which has fewer dependencies.
Cannot that package work on x86_64 arch without nspluginwrapper, if all the needed lib32 libraries are installed ?
Please can someone give me explanations, thanks.

Offline

#23 2010-06-14 10:01:22

zodmaner
Member
Registered: 2007-07-11
Posts: 653

Re: Adobe Flash security hole

berbae wrote:

It's not clear to me why nspluginwrapper would be needed, because there is in AUR the package lib32-flashplugin-prerelease 10.1.53.64-8, which has fewer dependencies.
Cannot that package work on x86_64 arch without nspluginwrapper, if all the needed lib32 libraries are installed ?
Please can someone give me explanations, thanks.

Already tried that one. In short: it doesn't work.

Apparently, 64bit Firefox could not recognize a 32bit plugin, even if all the necessary lib32 packages are installed, which is why we need nspluginwrapper to act as a "middle man" between Firefox and Flash (someone please correct me if I'm wrong on this).

Anyway, don't let the huge dependency list scare you, both nspluginwrapper-debian and nspluginwrapper-flash-prerelease combined require roughly the same dependencies as lib32-flashplugin, it's just that the PKGBUILD of nspluginwrapper-debian lists all dependencies, while lib32-flashplugin only lists the highest level ones.

If you don't believe me, try issuing the following command (which is the dependencies of lib32-flashplugin):

lib32-libxt lib32-gtk2 lib32-nss lib32-curl

and take note that it pulls in roughly the same number of packages that nspluginwrapper-debian package requires.

Last edited by zodmaner (2010-06-14 11:31:44)

Offline
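The word-size mismatch discussed in the post above can be checked directly from a plugin file's ELF header, since a 64-bit process cannot load a 32-bit shared object. The following is an added example, not part of the original thread; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a browser plugin can be loaded natively
# or needs a wrapper such as nspluginwrapper, based on its ELF class.
# EI_CLASS is byte 4 of the ELF header: 1 = 32-bit, 2 = 64-bit.

elf_class() {
    # Print 32, 64 or "not-elf" for the file given as $1.
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 0; }
    case $(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo "not-elf" ;;
    esac
}

plugin_loadable() {
    # $1 = plugin file, $2 = browser word size (32 or 64).
    # Prints "native", "needs-wrapper" or "invalid".
    cls=$(elf_class "$1")
    case $cls in
        not-elf) echo "invalid" ;;
        "$2")    echo "native" ;;
        *)       echo "needs-wrapper" ;;
    esac
}

make_samples() {
    # Constructed sample files: only the first five header bytes,
    # enough for the class check; these are not real plugins.
    dir=$(mktemp -d)
    printf '\177ELF\001' > "$dir/plugin32.so"
    printf '\177ELF\002' > "$dir/plugin64.so"
    printf 'text' > "$dir/notes.so"
    echo "$dir"
}

# Usage: sh check.sh /path/to/plugin.so [...]
# The browser word size is assumed to equal the system's native one.
for f in "$@"; do
    echo "$f: $(plugin_loadable "$f" "$(getconf LONG_BIT)")"
done
```

Run it with the paths of the plugin files you want to check; with no arguments it prints nothing.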

#24 2010-06-14 14:50:33

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: Adobe Flash security hole

berbae wrote:

It's not clear to me why nspluginwrapper would be needed, because there is in AUR the package lib32-flashplugin-prerelease 10.1.53.64-8, which has fewer dependencies.
Cannot that package work on x86_64 arch without nspluginwrapper, if all the needed lib32 libraries are installed ?
Please can someone give me explanations, thanks.

I believe that lib32-flashplugin-prerelease is supposed to be for using a completely 32-bit firefox on Arch64. (It's probably possible to use it with nspluginwrapper and a 64-bit firefox, as well, but the nspluginwrapper-flash-prerelease is probably easier to use for that case.)

Offline

#25 2010-06-14 17:36:01

Julius2
Member
From: Canada
Registered: 2009-05-13
Posts: 68
Website

Re: Adobe Flash security hole

ngoonee wrote:

Isn't it simpler just to not use flash?

That's still a pipe dream. I've seen people slowly, slowly start to use javascript and CSS3 for dynamic menus instead of Flash, and once HTML 5 is finalized we'll see more HTML5 video players instead of Flash ones, but Flash's death will be long and painful for all involved. It's in our interest to make sure there's a working, secure version of it for people who want it.


Blog .:. AUR .:. Wiki Contributions
Registered Linux User #506070.

Offline
